Abstract. Weak pseudorandom functions (wPRFs) found an important application as the main building blocks for leakage-resilient stream ciphers (EUROCRYPT'09). Several security bounds, based on different techniques, were given for these stream ciphers. The security loss in these reduction-based proofs is always polynomial, but has not been studied in detail. The aim of this paper is twofold. First, we present a clear comparison of the quantitatively different security bounds in the literature. Second, we revisit the current proof techniques and answer the natural question of how far we are from meaningful and provable security guarantees when instantiating weak PRFs with standard primitives (block ciphers or hash functions). In particular, we demonstrate a flaw in the recent (TCC'14) analysis of the EUROCRYPT'09 stream cipher. Our approach is a time-to-success ratio analysis, a universal measure introduced by Luby, which allows us to compare different security bounds.
1 Introduction

1.1 Leakage-resilient cryptography 

Leakage Resilience. Traditional security notions in cryptography consider adversaries who can interact with a primitive only in a black-box manner, observing its input/output behavior. Unfortunately, this assumption is unrealistic in practice. In fact, information might leak from cryptograms at the physical implementation layer. The attacks that capture information this way are called side-channel attacks, and include power consumption analysis [KJJ99], timing attacks [Koc96], fault injection attacks [BBKN12] or memory attacks [HSH+08]. Searching for countermeasures against side-channel attacks, one can try to prevent them by modifying software or further securing hardware. However, these techniques are more ad hoc than generic. A completely different viewpoint is to provide primitives which are provably secure against leakage. The research field following this paradigm is called leakage-resilient cryptography, and has become very popular in recent years. A lot of work and progress has been done on this topic since the breakthrough paper on leakage-resilient stream ciphers [DP08], much more than we could mention here. We refer the reader to [ADW10] and [Mol10] for good surveys.


Modeling leakage. A number of ways to capture leakage have been proposed. The very first works focused on strongly restricting the type of leakage. Here we very briefly discuss the most important ones, referring interested readers to the surveys.

— exposure resilient cryptography. In this line of work, the type of leakage is restricted so that adversaries learn subsets of the bits of the secret state (key) [CDH+00,DSS01].

— continuous bounded computational leakage. Perhaps the most popular line of research restricting the leakage type, based on the "only computation leaks information" axiom introduced by Micali and Reyzin [MR04]. In this modelling approach the overall execution of a cryptographic protocol is divided into time frames, and in every round leakage comes only from the parts of the internal state which are touched by computations. The amount of leakage is bounded in every round but unbounded overall. This model successfully captures side-channel attacks resulting from computation [Mol10]; however, memory attacks are more problematic, as they are possible even if no computation is performed [HSH+08]. Nonetheless, leakage-resilient constructions under the "only computation leaks information" assumption are of big interest [DP08,Pie09,DP10,FPS12,YS13], to mention only stream-cipher related works. We also note that in specific cases, in particular for the stream ciphers we will be interested in, the authors argue that their security models go beyond the "only computation leaks information" assumption and actually capture memory attacks (cf. [Pie09]).

— probing attacks. In this approach, initiated in [ISW03], adversaries can learn or influence the values on some wires during the evaluation of a circuit.

— auxiliary inputs. The works [DKL09,DGTK+10] study a setting where adversaries can learn a function of the secret state which is hard to invert. It allows leaking more information than the size of the secret state and is believed to be the most practical model. However, it is also considered very challenging for proving security of constructions.

Being interested in leakage-resilient stream ciphers, we follow the related works and focus on continuous computational leakage throughout this paper (see Section 2 for a formal definition in the concrete setting).


1.2 Leakage-resilient stream ciphers. 

What are stream ciphers? The purpose of stream ciphers is to efficiently encrypt data streams of arbitrary length. The most popular construction mimics the one-time pad encryption by deploying a generator which stretches the initial randomness into a keystream. Such a generator, when initialized with a secret state, recursively computes a sequence of output blocks, where the security requirement is that the last block looks random given the previous outputs.

Leakage-resilient design. The main concern in proving leakage resilience is that the keystream generator must be secure against leakages which appear in every round (in the continuous leakage model). Such a generator could be built either from a pseudorandom generator and an extractor [DP08], or from a weak pseudorandom function [Pie09,YSPY10,FPS12,YS13]. In either case, the idea is to refresh the secret state (key) in every round, to make compromising it as difficult as possible. Below we briefly discuss some advantages of the second approach, and return to a more detailed discussion of the concrete designs in Section 3.

Why wPRF-based design? Informally, pseudorandom functions look random on many adversarially chosen inputs (under a uniform secret key), whereas weak pseudorandom functions look random only on random inputs. Below we elaborate on why weak pseudorandom functions are of special interest for leakage-resilient stream cipher constructions.

(a) From a high-level viewpoint, we have at least two very good reasons to build leakage-resilient stream ciphers from weak PRFs, as proposed in [Pie09]. First, this approach is simple and thus more efficient to implement and much easier to analyze than the original proposal [DP08], which combines a pseudorandom generator and an extractor. Second, and most important, it is less vulnerable to side-channel attacks and more reliable from a practical viewpoint. This is because the construction can be instantiated with only one component, a weak PRF. Mounting an attack against one component is less likely than against the original construction with its two components [Sta10,MS11,MSJ12]. Moreover, this construction is more reliable from a practical viewpoint when instantiated with block ciphers understood as weak PRFs (like AES), because their security against side-channel attacks has been carefully analyzed.

(b) From a technical viewpoint, weak pseudorandom functions are very convenient primitives to deal with in the context of leakage. As opposed to (strong) pseudorandom functions, they can be shown to remain secure with weak keys (that is, when keys are not uniform but have some entropy deficiency), which is the key ingredient of the cipher's resilience proof. Security with weak keys can be proven either by a computational variant of the Dense Model Theorem [Pie09] or by a recent technique involving the square-security notion [DY13].

Security. The stream cipher is considered secure if, for a sequence of its outputs, the last round's output block looks pseudorandom given the outputs from the previous rounds. See Section 2 for a formal definition.


1.3 Reductions Quality Issues. 

The security of leakage-resilient stream ciphers is always proven by a reduction to underlying, more standard components, such as pseudorandom generators, extractors and pseudorandom functions, whose security is generally well understood. Proving these bounds is challenging, and still we can only prove quite poor bounds unless we impose strong idealized assumptions. Below we elaborate on this topic.


(a) Significant security losses in the standard model. Reduction proofs yield quite weak bounds, and this is common to all related works. For leakage-resilient stream ciphers we have to lose a constant fraction of the security compared to its original level, even if the leakage is just one bit!

(b) No provable security with standard building blocks. When we aim for the (provable) security level recommended nowadays, which is at least 80 bits, we need to start with primitives (like block ciphers) whose security is larger than 400 bits, given current knowledge. This is a direct consequence of the issue with weak reductions mentioned above.

(c) Different bounds are hard to compare. Depending on the technique, different 
bounds are obtained. Formulas offer security against different adversarial 
profiles - running time, success probability, leakage length. 

1.4 Problem and results, informally 

Motivated by the study of the quality of reductions, we state our problem as a series of questions. We briefly answer them here, announcing our results informally, and discuss them in more detail in the next section.

Q1: How tight are reduction-based security proofs for leakage-resilient stream ciphers?

We revisit the best known bounds and analyze the tightness of reductions using time-success ratios. We discuss these tools in more detail in the next section.

A1: All results lose more than 75% of the original security (measured in bits), paying for the resilience feature. This holds even for one bit of leakage per computation!

The second issue we address is how far we really are from having provable security for constructions instantiated with practically used components.

Q2: Can we instantiate a leakage-resilient stream cipher, provably secure in the standard model, with a standard (128- or 256-bit) block cipher as a weak PRF?

The most serious attempt to achieve meaningful security using standard 256-bit block ciphers is due to Pietrzak and Jetchev [JP14]. They improved and simplified the bounds for the EUROCRYPT'09 stream cipher. However, as we will explain later, the better of the two claimed bounds doesn't apply because of a flaw in the proof [Pie].

A2: No, given the current state of the art. The recent analysis from TCC'14 which gives an affirmative answer contains a flaw. We discuss it in Section 4.3.

Because of the lack of a positive answer above, it is natural to ask how strong our starting primitive needs to be, given current proof techniques. We believe that it is of interest to know how far the provably secure bounds are from the idealized bounds, especially since this approach seems to be taken relatively rarely.


Q3: How strong a weak PRF do we need to achieve the recommended security level of 80 bits, given the known techniques?

Using our time-success ratio analysis we give an answer.

A3: One with at least 512 bits of security (and assuming small leakage). We propose to instantiate with SHA-512 as a weak PRF.


1.5 Results and techniques in details. 

Flaws in the recent analysis of the EUROCRYPT'09 stream cipher. Pietrzak and Jetchev came up with an elegant idea to simplify the security proof of the EUROCRYPT'09 stream cipher built from a weak PRF. To this end, they prove a theorem about simulating auxiliary inputs, giving two alternative proofs [JP14]. One of them would imply good security in the standard model, with AES used as the weak PRF (for the first time). Unfortunately, as we point out in Section 4.3 of this paper, the proof of this stronger bound is wrong. For this reason only the second, much weaker, bound applies, so we cannot prove meaningful security when instantiating the stream cipher with a standard 256-bit block cipher like AES.

An improved simulator for auxiliary inputs and better security for the EUROCRYPT'09 stream cipher. We don't know how to fix the issue with the flawed analysis in [JP14]. However, we improve the alternative proof of the simulation lemma by a significant factor, which gives a better analysis of the stream cipher than [JP14]. Our proof might be of independent interest because of the proof technique, which utilizes a variant of the Barron-Maurey approximation theorem. We refer the reader to Theorem 3 in Section 4.3 for more details.

A framework to compare different reductions. Bellare and Rogaway [BR96] were the first to emphasize the importance of studying the tightness of security proofs in practical applications. Following the approach proposed by Luby [LM94], based on the time-success ratio (see Section 2.2), we provide a general tool for determining the security of every stream cipher that reduces to a weak PRF. Technically, by constrained optimization we determine the time-success ratio of a stream cipher from the security of its main building component. This approach is used in different areas of provable security (cf. [BL13] and many similar works), but to our knowledge has never been applied to leakage-resilient stream ciphers (in particular, not in any of the works we cite).

A clear security loss formula. We abstract the "typical form" of the loss in most reductions from a stream cipher to the underlying weak PRF. Namely, the time/advantage pairs describing adversarial resources and success probability for the original primitive, $(s, \epsilon)$, and for the cipher, $(s', \epsilon')$, are related as
$$\epsilon' = \epsilon^{A} \qquad\text{and}\qquad s' = s \cdot \epsilon^{C} - \epsilon^{-B}$$
for some explicit constants $A, B, C$ in the exponents. Extending this model slightly to capture leakage-dependent factors, we actually cover all related works. We solve the related optimization program and show explicitly how the degradation of the time-success ratio depends on these constants (see Section 4.2). It turns out that what remains is a fraction of roughly $\frac{A}{B+C+1}$ of the original security (measured in bits). For all known constructions, this is smaller than 25%.

A survey of known results. We present the time-success ratio analysis of wPRF-based leakage-resilient stream ciphers. The lack of such results is perhaps partially because of the complicated formulas, and partially because in folklore these bounds are considered mainly of theoretical interest. Yet, we believe that comparing these bounds is interesting, in particular with respect to the "dream bounds" corresponding to the flawed analysis in [JP14], which, if it can be proven, gives a much better security level than other techniques. For more details, see Section 5.

2 Preliminaries 

2.1 Leakage resilient cryptography 

We start with the definition of weak pseudorandom functions, which are computationally indistinguishable from random functions when queried on random inputs and fed with a uniform secret key.

Definition 1 (Weak pseudorandom functions). A function $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$ is an $(\epsilon, s, q)$-secure weak PRF if its outputs on $q$ random inputs are indistinguishable from random by any distinguisher of size $s$, that is
$$\left| \Pr\left[ D\left( (X_i)_{i=1}^{q}, (F(K, X_i))_{i=1}^{q} \right) = 1 \right] - \Pr\left[ D\left( (X_i)_{i=1}^{q}, (R_i)_{i=1}^{q} \right) = 1 \right] \right| \le \epsilon$$
where the probability is over the choice of the random $X_i \leftarrow \{0,1\}^n$, the choice of a random key $K \leftarrow \{0,1\}^k$, and $R_i \leftarrow \{0,1\}^m$ conditioned on $R_i = R_j$ if $X_i = X_j$ for some $j < i$.

Stream ciphers generate a keystream in a recursive manner. The security requirement is that the output stream should be indistinguishable from uniform¹.

Definition 2 (Stream ciphers). A stream cipher $\mathrm{SC} : \{0,1\}^k \to \{0,1\}^k \times \{0,1\}^n$ is a function that needs to be initialized with a secret state $S_0 \in \{0,1\}^k$ and produces a sequence of output blocks $X_1, X_2, \ldots$ computed as
$$(S_i, X_i) := \mathrm{SC}(S_{i-1}).$$
A stream cipher $\mathrm{SC}$ is $(\epsilon, s, q)$-secure if for all $1 \le i \le q$ the random variable $X_i$ is $(s, \epsilon)$-pseudorandom given $X_1, \ldots, X_{i-1}$ (the probability is also over the choice of the initial random key $S_0$).

¹ We note that in the more standard notion the entire stream $X_1, \ldots, X_q$ is indistinguishable from random. This is implied by the notion above by a standard hybrid argument, with a loss of a multiplicative factor of $q$ in the distinguishing advantage.




Now we define the security of leakage-resilient stream ciphers, which follows the "only computation leaks" assumption.

Definition 3 (Leakage-resilient stream ciphers). A leakage-resilient stream cipher is $(\epsilon, s, q, \lambda)$-secure if it is $(\epsilon, s, q)$-secure as defined above, but where the distinguisher in the $j$-th round additionally gets $\lambda$ bits of arbitrary, adaptively chosen leakage about the secret state accessed during this round. More precisely, before $(S_j, X_j) := \mathrm{SC}(S_{j-1})$ is computed, the distinguisher can choose any leakage function $f_j$ with range $\{0,1\}^\lambda$, and then gets not only $X_j$ but also $\Lambda_j := f_j(S^{+}_{j-1})$, where $S^{+}_{j-1}$ denotes the part of the secret state that was accessed (i.e., read and/or overwritten) in the computation $\mathrm{SC}(S_{j-1})$.

2.2 Time-Success Ratio 

The running time (circuit size) $s$ and success probability $\epsilon$ of attacks (practical and theoretical) against a particular primitive or protocol may vary. For this reason Luby [LM94] introduced the time-success ratio as a universal measure of security. This model is widely used to analyze security, cf. [BL13] and related works.

Definition 4 (Security by Time-Success Ratio [LM94]). A primitive $P$ is said to be $2^k$-secure if for every adversary with time resources (circuit size in the nonuniform model) $s$, the success probability in breaking $P$ (advantage) is at most $\epsilon \le s \cdot 2^{-k}$. We also say that the time-success ratio of $P$ is $2^k$, or that it has $k$ bits of security.

For example, AES with a 256-bit random key is believed to have 256 bits of security as a weak PRF².

3 Leakage-Resilient Stream Ciphers Design 

In this section we briefly discuss the known constructions of leakage-resilient stream ciphers in the standard model (without random-oracle assumptions).

3.1 The very first idea (FOCS’08) 

The first construction of a leakage-resilient stream cipher was proposed by Dziembowski and Pietrzak in [DP08]. It has the characteristic alternating structure which allows for proving security against adaptively chosen leakage.

3.2 A construction based on a wPRF (EUROCRYPT’09) 

In Figure 1 below we present a simplified version of the cipher from [Pie09], based on a weak pseudorandom function (wPRF). A weak pseudorandom function is a primitive which "looks" like a random function when queried on random inputs; see Section 2 for a formal definition.

² We consider the security of AES256 as a weak PRF, and not as a standard PRF, because of non-uniform attacks which show that no PRF with a $k$-bit key can have $s/\epsilon \approx 2^k$ security [DTT09], at least unless we additionally require $\epsilon \ge 2^{-k/2}$.



Fig. 1: The EUROCRYPT'09 stream cipher (adaptive leakage). $F$ denotes a weak PRF. By $K_i$ and $X_i$ we denote, respectively, the values of the secret state and the keystream blocks. Leakages are denoted in gray by $L_i$.
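As an added illustration (not code from the paper or from [Pie09]), the following Python models Definitions 2 and 3 and one round of the EUROCRYPT'09 cipher. It assumes HMAC-SHA512 in the role of the weak PRF $F$, a 32-byte/32-byte split of its output into the next key and the keystream block, and the round rule $(K_{i+1}, X_{i+1}) := F(K_{i-1}, X_i)$ with secret $K_0, K_1$ and a public $X_0$, which is the standard description of this cipher; the class and function names are ours, and the keys are constructed demo values.

```python
"""Toy model of Definitions 2/3 and the EUROCRYPT'09 wPRF-based cipher.

Assumptions (not stated on the page): HMAC-SHA512 stands in for the weak PRF F;
its 64-byte output is split into a 32-byte next key and a 32-byte keystream block
(so k = n = 256); the round rule (K_{i+1}, X_{i+1}) := F(K_{i-1}, X_i) with two
secret keys K_0, K_1 and one public value X_0 is the standard description of the
cipher.  Names and sample keys are ours.
"""
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

KEY_BYTES = 32    # k = 256 bits of secret key
BLOCK_BYTES = 32  # n = 256 bits of keystream per round


def wprf(key: bytes, x: bytes) -> Tuple[bytes, bytes]:
    """F : {0,1}^k x {0,1}^n -> {0,1}^k x {0,1}^n, here HMAC-SHA512 (assumption)."""
    digest = hmac.new(key, x, hashlib.sha512).digest()
    return digest[:KEY_BYTES], digest[KEY_BYTES:KEY_BYTES + BLOCK_BYTES]


class Eurocrypt09Cipher:
    """State S_i = (K_{i-1}, K_i, X_i); one call to step() is one round of SC."""

    def __init__(self, k0: bytes, k1: bytes, x0: bytes) -> None:
        self.keys = [k0, k1]   # (K_{i-1}, K_i); only K_{i-1} is touched this round
        self.x = x0            # public value X_i
        self.i = 0

    def step(self, leak: Optional[Callable[[bytes], int]] = None,
             lam: int = 0) -> Tuple[bytes, Optional[int]]:
        """Round i+1: (K_{i+1}, X_{i+1}) := F(K_{i-1}, X_i).

        Leakage model of Definition 3 ("only computation leaks"): the adversary's
        function f_j is evaluated on exactly the state accessed in this round,
        (K_{i-1}, X_i), never on the idle key K_i, and may return at most lam bits.
        """
        k_prev, k_cur = self.keys
        accessed = k_prev + self.x
        leakage = None
        if leak is not None:
            leakage = leak(accessed)
            if not 0 <= leakage < (1 << lam):
                raise ValueError("leakage function exceeded its lambda-bit range")
        k_next, x_next = wprf(k_prev, self.x)
        self.keys = [k_cur, k_next]   # K_i is the key touched in the next round
        self.x = x_next
        self.i += 1
        return x_next, leakage


def keystream(k0: bytes, k1: bytes, x0: bytes, q: int) -> List[bytes]:
    """X_1, ..., X_q as in Definition 2, without leakage."""
    sc = Eurocrypt09Cipher(k0, k1, x0)
    return [sc.step()[0] for _ in range(q)]


def run_with_leakage(k0: bytes, k1: bytes, x0: bytes, q: int, lam: int) -> List[int]:
    """Run q rounds against a leakage function returning the low lam bits of the
    accessed key material (a deliberately simple f_j; the model allows any f_j)."""
    sc = Eurocrypt09Cipher(k0, k1, x0)
    leak = lambda state: state[0] & ((1 << lam) - 1)
    return [sc.step(leak, lam)[1] for _ in range(q)]


# Constructed sample values for the demo (not real secrets).
K0 = bytes(range(32))
K1 = bytes(range(32, 64))
X0 = bytes(32)

if __name__ == "__main__":
    for i, block in enumerate(keystream(K0, K1, X0, 3), 1):
        print(f"X_{i} = {block.hex()}")
    print("1-bit leakages per round:", run_with_leakage(K0, K1, X0, 3, 1))
```

The alternating structure is visible in the test below: changing $K_1$ leaves $X_1 = F(K_0, X_0)$ untouched and changes $X_2 = F(K_1, X_1)$, and the leakage function of round 1 never sees $K_1$.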


3.3 Saving key randomness (CSS'10, CHES'12)

A slightly different approach is proposed in [YSPY10]. The authors argue that side-channel attacks in practice are mounted against a specific target and require specific measurement equipment; thus adaptive security is somewhat of an overkill. The second observation is that the cipher in [Pie09] seems to waste a lot of randomness, because in the best case the security is only comparable to the length of one secret key, whereas the cipher is initialized with two random keys (denoted $K_0, K_1$ in Figure 1). They remove the alternating structure and use only one key and two alternating public random values, aiming at (weaker) non-adaptive security. Unfortunately, the proof that these two alternating public values are enough was wrong, as pointed out in [FPS12]. However, one gets provable non-adaptive security assuming that every round uses fresh randomness [FPS12]. Such a large amount of randomness makes the cipher impractical, but the authors show how to reduce it further. Summing up, one gets only non-adaptive security but saves secret randomness, replacing the "wasted" key by a public string. The scheme is illustrated in Figure 2 below.

3.4 Saving public randomness (CT-RSA’13) 

The problem with the large public randomness required by the previous cipher was addressed in [YS13]. The public values required in the previous construction are generated on-the-fly from a single public value, by running a strong PRF in counter mode on it. For an illustration, see Figure 3 below. The result is only conditional and holds in the hypothetical world minicrypt, where one-way functions exist but there is no public-key cryptography. Still, it may be a good clue about what we should aim for when we want provable security in the standard model.
Fig. 2: The CSS'10/CHES'12 stream cipher. $F$ denotes a weak PRF. By $K_i$ and $X_i$ we denote, respectively, the values of the secret state and the keystream blocks. Leakages are denoted in gray by $L_i$. The cipher requires public independent random values $p_i$.

Fig. 3: The CT-RSA'13 stream cipher (non-adaptive leakage, minicrypt). $F$ is a weak PRF and $G$ is a strong PRF. By $K_i$ and $X_i$ we denote, respectively, the values of the secret state and the keystream blocks. Leakages are denoted in gray by $L_i$. The function $F$ generating the keystream is rerandomized using values $p_i$ produced by $G$ in counter mode from the single public seed $s$.





4 Results 


4.1 The time-success ratio under reductions 

We consider first a very abstract setting, where a primitive $P'$ is built from $P$. Assume that the security of $P'$ reduces to the security of $P$ in the following quantitative way:

R: If $P$ is secure against an adversary $(s, \epsilon)$, then $P'$ is secure against any adversary $(s', \epsilon')$, where
$$s' = p(s, \epsilon), \qquad \epsilon' = q(s, \epsilon) \qquad (1)$$
for some functions $p(\cdot), q(\cdot)$.

In the simplest case, the functions $p(\cdot)$ and $q(\cdot)$ are algebraic functions of the original parameters, like $\epsilon' = \epsilon^{1/2}$ or $s' = s\epsilon^{2}$ (the second case appears particularly often as a result of the Chernoff bound). In leakage-resilient cryptography these formulas are more complicated and typically involve some additional parameters, like the leakage length or the number of queries. The natural question here is how the security, understood as in Definition 4, of the two primitives $P$ and $P'$ is related. We give the answer below (the proof appears in Appendix A).

Theorem 1 (The time-success ratio as min-max optimization). Let the security of $P'$ reduce to the security of $P$ as in Equation (1). If $P$ has $k$ bits of security, then $P'$ has $k'$ bits of security, where $k'$ is the maximal value such that the following program
$$\begin{array}{ll}
\displaystyle \min_{(s',\epsilon')}\ \max_{(s,\epsilon)} & \dfrac{s'}{\epsilon'} \\[1.5ex]
\text{s.t.} & \dfrac{s'}{\epsilon'} \le 2^{k'}, \quad 1 \le s', \quad 0 < \epsilon' \\[1.5ex]
& \dfrac{s}{\epsilon} \le 2^{k}, \quad 1 \le s, \quad 0 \le \epsilon \\[1.5ex]
& s' \le p(s,\epsilon), \quad \epsilon' \ge q(s,\epsilon)
\end{array} \qquad (2)$$
has a positive finite value.

Remark 1. If we cannot find a pair $(s, \epsilon)$ corresponding to $(s', \epsilon')$, then the feasible set in Equation (2) is empty, so that the value of the program becomes $-\infty$.


4.2 The time-success ratio under algebraic transformations 

In the most typical case we can solve Equation (2) explicitly, as shown by 
Theorem 2 below. 



Theorem 2 (Time-success ratio for algebraic transformations). Let $a, b, c$ and $A, B, C$ be nonnegative constants with $a, c > 0$. Suppose that $P'$ is secure against adversaries $(s', \epsilon')$ whenever $P$ is secure against adversaries $(s, \epsilon)$, where
$$s' = s \cdot c\,\epsilon^{C} - b\,\epsilon^{-B}, \qquad \epsilon' = a\,\epsilon^{A}. \qquad (3)$$
In addition, suppose that the following condition is satisfied:
$$A \le C + 1. \qquad (4)$$
Then the following is true: if $P$ is $2^k$-secure, then $P'$ is $2^{k'}$-secure, where (all logarithms are base 2)
$$k' = \begin{cases}
\dfrac{A}{B+C+1}\,k + \dfrac{A}{B+C+1}\,(\log c - \log b) - \log a, & b \ge 1 \\[2.5ex]
\dfrac{A}{C+1}\,k + \dfrac{A}{C+1}\,\log c - \log a, & b = 0
\end{cases} \qquad (5)$$

The proof is elementary though not immediate. It appears in Appendix B.

Remark 2 (On the technical condition (4)). This condition is satisfied in almost all applications, as in a reduction proof $\epsilon'$ typically cannot be better (meaning a higher exponent) than $\epsilon$. Thus, quite often we have $A \le 1$.
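To make Theorem 2 concrete, the following Python (added here, not from the paper) computes $k'$ for a reduction of the form (3) in two ways: by solving the boundary equation (10) of Appendix B numerically, and by the closed form (5). The function names and the parameter values used in the checks are ours; they are illustrative and do not correspond to any particular cipher analysis from Table 1.

```python
"""Evaluating Theorem 2 (added example, not the paper's code).

A reduction of the algebraic form  s' = s*c*eps^C - b*eps^(-B),  eps' = a*eps^A
(Equation (3)) turns a primitive P with k bits of security (Definition 4) into a
primitive P' with k' bits.  exact_security_level() follows Appendix B: at the
optimum s/eps = 2^k and eps' = a*eps^A, the ratio s'/eps' is increasing in eps,
so the minimum sits where  2^k c eps^(C+1) - b eps^(-B) = 1  (Eq. (10)).
closed_form_security_level() is Equation (5).  Logarithms are base 2.
"""
import math


def check_condition(A: float, C: float) -> None:
    """Condition (4): A <= C + 1, which makes the objective of (9) increasing."""
    if A > C + 1:
        raise ValueError("Theorem 2 needs A <= C + 1")


def exact_security_level(k, a, A, b, B, c, C, iters=200):
    """k' = log2 of the smallest s'/eps' the reduction guarantees, found by
    bisection on t = log2(1/eps); the left side of (10) is decreasing in t."""
    check_condition(A, C)

    def boundary(t):
        # 2^k c eps^(C+1) - b eps^(-B) - 1  with eps = 2^(-t)
        return c * 2.0 ** (k - (C + 1) * t) - b * 2.0 ** (B * t) - 1.0

    lo, hi = 0.0, float(k) + 64.0
    if boundary(lo) < 0:
        raise ValueError("no (s', eps') with s' >= 1 is reachable: vacuous reduction")
    for _ in range(iters):
        mid = (lo + hi) / 2
        if boundary(mid) >= 0:
            lo = mid
        else:
            hi = mid
    t = (lo + hi) / 2
    return A * t - math.log2(a)          # log2(a^{-1} eps^{-A}) at the boundary point


def closed_form_security_level(k, a, A, b, B, c, C):
    """Equation (5); agrees with the exact value up to the factor-2 rounding of (11)."""
    check_condition(A, C)
    if b == 0:
        return A / (C + 1) * (k + math.log2(c)) - math.log2(a)
    return A / (B + C + 1) * (k + math.log2(c) - math.log2(b)) - math.log2(a)


def fraction_retained(A, B, C):
    """Asymptotic share of k that P' keeps: A/(B+C+1) (A/(C+1) when b = 0)."""
    return A / (B + C + 1)


if __name__ == "__main__":
    # Illustrative parameters: eps' = eps, s' = s*eps^2 - eps^{-1}, k = 256.
    print(exact_security_level(256, 1, 1, 1, 1, 1, 2),
          closed_form_security_level(256, 1, 1, 1, 1, 1, 2))
```

The identity reduction ($a = c = A = 1$, $b = B = C = 0$) returns $k' = k$, and the Chernoff-type loss $\epsilon' = \epsilon^{1/2}$, $s' = s\epsilon^2$ from Section 4.1 returns $k' = k/6$, as Equation (5) predicts.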

4.3 An error in the recent EUROCRYPT'09 stream cipher analysis (TCC'14) and our improvement

Simulating auxiliary inputs. In [JP14] there is the following theorem (here we state the corrected version [Pie]):

Lemma 1 (Simulating auxiliary inputs). For any random variable $X \in \{0,1\}^n$, any correlated $Z \in \{0,1\}^\lambda$ and every choice of parameters $(\epsilon, s)$ there is a randomized function $\mathrm{Sim} : \{0,1\}^n \to \{0,1\}^\lambda$ of complexity $O\left(s \cdot 2^{4\lambda}\epsilon^{-4}\right)$ such that $Z$ and $\mathrm{Sim}(X)$ are $(\epsilon, s)$-indistinguishable given $X$.

This theorem is the core of the improved analysis of the EUROCRYPT'09 stream cipher. Using it, as described in [JP14], one proves the resilience of the cipher if the underlying weak PRF is $(s, \epsilon)$-secure against two queries on random inputs.

More on the flaws. In the claimed better bound $O\left(s \cdot 2^{3\lambda}\epsilon^{-2}\right)$ there is a mistake on page 18 (eprint version), where the authors enforce a signed measure to be a probability measure by a mass-shifting argument. The number $M$ defined there is in fact a function of $x$ and is hard to compute; the original proof assumes that it is a constant independent of $x$. In the alternative bound $O\left(s \cdot 2^{3\lambda}\epsilon^{-4}\right)$ a fixable flaw is a missing factor of $2^{\lambda}$ in the complexity (page 16 in the eprint version), because what is constructed in the proof is only a probability mass function, not yet a sampler [Pie]; with this factor restored one obtains the bound $O\left(s \cdot 2^{4\lambda}\epsilon^{-4}\right)$ of Lemma 1.




Our improvement. We don't know how to reduce the exponent of $\epsilon$. However, we can improve the constant in the exponent of $\lambda$ from 4 to 2. This is significant for the application to the cipher, as we improve its security by a factor of $2^{\Theta(\lambda)}$, which is typically of order $\Theta(\epsilon^{-1})$ (see [JP14,Pie09]).

Theorem 3 (Better simulating auxiliary inputs). For every distribution $(X, Z)$ on $\mathcal{X} \times \{0,1\}^\lambda$ and every $\epsilon, s$ there exists a "simulator" $h : \mathcal{X} \to \{0,1\}^\lambda$ such that (a) the distributions of $(X, h(X))$ and $(X, Z)$ are $(s, \epsilon)$-indistinguishable and (b) $h$ is of complexity $s_h = O\left(s \cdot 2^{2\lambda}\epsilon^{-4}\right)$.

5 Survey of security bounds 

In Table 1 below we present the comparison of different bounds for leakage-resilient stream ciphers built from weak PRFs. We assume that the number of blocks $q$ is constant. Without loss of generality, we assume that the time-advantage ratio for our wPRF is constant, that is $s/\epsilon \approx 2^k$ where $k$ is the key length. This corresponds to the assumption that the best attack is brute-force search³. This assumption is reasonable; for example, the best block ciphers like AES are believed to have such security as PRFs. The security level is computed from Theorem 2 by plugging in the bounds from the related works (we omit the computations).


Cipher | Analysis | Proof technique | Security level | Comments
(1) | [Pie09] | Pseudoentropy chain rules | $k' \ll k$ | large number of blocks
(1) | [JP14] | Aux. inputs simulator (corr.) | $k' \approx \ldots\,k - \ldots\,\lambda$ |
(1) | […13] | Aux. inputs simulator | $k' \approx \ldots\,k - \ldots\,\lambda$ |
(1) | This work | Aux. inputs simulator (impr.) | $k' \approx \ldots\,k - \ldots\,\lambda$ |
(1) | Dream bound | Aux. inputs simulator (impr.) | $k' \approx \ldots\,k - \lambda$ | unproven (the flaw)
(2) | [FPS12] | Pseudoentropy chain rules | $k' \approx \ldots\,k - \ldots\,\lambda$ | large public seed
(3) | [YS13] | Square-friendly applications | $k' \approx \ldots\,k - \ldots\,\lambda$ | only in minicrypt

Table 1: Different bounds for wPRF-based leakage-resilient stream ciphers. $k$ is the length of the secret key of the wPRF; $k'$ is the security level of the cipher in terms of the time-success ratio (coefficients shown as "…" are illegible in the source). The numbers denote: (1) the EUROCRYPT'09 cipher, (2) the CSS'10/CHES'12 cipher, (3) the CT-RSA'13 cipher.


It seems that the best cipher (in the standard model) is the EUROCRYPT'09 cipher. It provides adaptive security in the standard model and loses most of its original security (the best analysis is due to Vadhan, the second best is this paper). The CSS'10/CHES'12 cipher also loses a large fraction of its original security and, in addition, requires large public randomness.

³ This is not the case for asymmetric primitives: consider e.g. RSA. Here, given our current understanding of the hardness of factoring, $\epsilon$ goes from basically 0 to 1 as the running time $s$ reaches the time required to run the best factoring algorithms.
A Proof of Theorem 1

We notice that we are looking for the biggest value $k'$ such that for every $(s', \epsilon')$ satisfying $s' \ge 1$, $\epsilon' \ge 0$, $2^{k'} \ge s'/\epsilon'$ there exist some values $(s, \epsilon)$ such that $s \ge 1$, $\epsilon \ge 0$, $s' \le p(s,\epsilon)$, $\epsilon' \ge q(s,\epsilon)$ and $2^k \ge s/\epsilon$. For given values $(s', \epsilon')$ we can choose $(s, \epsilon)$ so that the ratio $s'/\epsilon'$ is as large as possible, provided that the constraint $s/\epsilon \le 2^k$ is satisfied. Taking into account the quantifiers "every" and "some" we get the min-max characterization of Equation (2).


B Proof of Theorem 2 

Proof. Consider the program in Theorem 1. In our setting we have
$$p(s,\epsilon) = s \cdot c\,\epsilon^{C} - b\,\epsilon^{-B}, \qquad q(s,\epsilon) = a\,\epsilon^{A}.$$
The constraint $s' \ge 1$ is equivalent to
$$s \ge c^{-1}\left(1 + b\,\epsilon^{-B}\right)\epsilon^{-C}. \qquad (6)$$
Thus all the constraints on $s$ can be written as
$$c^{-1}\left(1 + b\,\epsilon^{-B}\right)\epsilon^{-C} \le s, \qquad s \le 2^{k}\epsilon, \qquad s' \le p(s,\epsilon).$$
By definition $p(\cdot)$ is increasing in $s$. Therefore we can assume that
$$\frac{s}{\epsilon} = 2^{k}. \qquad (7)$$
The constraint $\epsilon' \ge 0$ simply reduces to $\epsilon \ge 0$. Thus all the constraints in which $\epsilon$ is involved are
$$0 \le \epsilon, \qquad s \le 2^{k}\epsilon, \qquad q(s,\epsilon) \le \epsilon'.$$
Since $q(\cdot)$ is increasing, we can assume that $\epsilon' = q(s,\epsilon)$, or in other words that
$$\epsilon' = a\,\epsilon^{A}. \qquad (8)$$
Given Equations (7) and (8) the maximum part of the optimization is eliminated. Our task reduces to minimizing the following expression
$$\frac{s'}{\epsilon'} = s \cdot \frac{c}{a}\,\epsilon^{C-A} - \frac{b}{a}\,\epsilon^{-B-A} = \epsilon^{-A}\left(\frac{c}{a}\,2^{k}\epsilon^{C+1} - \frac{b}{a}\,\epsilon^{-B}\right)$$
over $(s', \epsilon')$, or equivalently over $(s, \epsilon)$ (given the equalities (7) and (8)), provided that Equation (6) is satisfied. Thus we obtain the following problem in one variable:
$$\begin{array}{ll}
\text{minimize} & a^{-1}\epsilon^{-A}\left(2^{k}c\,\epsilon^{C+1} - b\,\epsilon^{-B}\right) \\
\text{s.t.} & 2^{k}c\,\epsilon^{C+1} - b\,\epsilon^{-B} \ge 1.
\end{array} \qquad (9)$$
Now everything depends on the behavior of the objective function
$$f(u) = \frac{2^{k}c}{a}\,u^{C+1-A} - \frac{b}{a}\,u^{-B-A}.$$
The condition (4) implies that $f(u)$ is increasing. Thus it attains its minimum at the boundary point, which is given by
$$2^{k}c\,\epsilon^{C+1} - b\,\epsilon^{-B} = 1. \qquad (10)$$
The objective function evaluated at this point gives us
$$f(\epsilon) = a^{-1}\epsilon^{-A}.$$
Note that from Equation (10) it follows that
$$2^{k}c\,\epsilon^{B+C+1} = b + \epsilon^{B}. \qquad (11)$$
If $b \ge 1$ we obtain $\epsilon^{B+C+1} \approx 2^{-k}\,b\,c^{-1}$ (up to a multiplicative factor of at most 2). If $b = 0$ then $\epsilon^{C+1} = 2^{-k}c^{-1}$. Taking logarithms and substituting into $k' = \log f(\epsilon) = A\log(1/\epsilon) - \log a$ gives Equation (5).


C Proof of Theorem 3 

Proof (of Theorem 3). In the first step we show how to construct a simulator $h = h_D$ for one circuit $D$ of size $s$.

Claim 1 (A perfect simulator for any fixed real-valued distinguisher). For any $[0,1]$-valued $D$ of size $s$ there exists a function $h_D : \mathcal{X} \to \{0,1\}^m$ of complexity $O(s \cdot 2^m)$ such that $\mathbb{E}\,D(X, Z) = \mathbb{E}\,D(X, h_D(X))$.

Proof (of Claim 1). Let $h_D^{-}$ and $h_D^{+}$ be functions such that
$$D(x, h_D^{-}(x)) = \min_{z} D(x, z), \qquad D(x, h_D^{+}(x)) = \max_{z} D(x, z).$$
Both functions can be computed by enumerating over all $z \in \{0,1\}^m$, using $2 \cdot 2^m$ calls to $D$. For any $X, Z$ we have
$$\mathbb{E}_{x \leftarrow X}\, D(x, h_D^{-}(x)) \le \mathbb{E}\,D(X, Z) \le \mathbb{E}_{x \leftarrow X}\, D(x, h_D^{+}(x)).$$
Therefore there exists a number $\gamma_D \in [0,1]$ such that
$$\mathbb{E}\,D(X, Z) = \gamma_D\,\mathbb{E}_{x \leftarrow X}\, D(x, h_D^{-}(x)) + (1 - \gamma_D)\,\mathbb{E}_{x \leftarrow X}\, D(x, h_D^{+}(x)).$$
We define $h(x) = h_D(x)$ as follows: sample $r \in [0,1]$; if $r < \gamma_D$ then output $h_D^{-}(x)$, else output $h_D^{+}(x)$.
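The following Python (an added example, not from the paper) runs the construction of Claim 1 on a small constructed joint distribution: it enumerates $z$ to find $h_D^{-}$ and $h_D^{+}$, computes $\gamma_D$, and checks that the mixed simulator reproduces $\mathbb{E}\,D(X,Z)$ exactly. The distribution, the distinguisher and the function names are made up for the demo.

```python
"""The perfect simulator of Claim 1 (added example, not the paper's code).

For a [0,1]-valued distinguisher D(x, z), enumerate z in {0,1}^m for every x to
get h^-(x) = argmin_z D(x,z) and h^+(x) = argmax_z D(x,z); then pick gamma_D in
[0,1] so that "output h^-(x) with probability gamma_D, else h^+(x)" has exactly
the expectation E D(X, Z).  Distribution, D and names are constructed for the demo.
"""
from typing import Callable, Dict, Tuple

Distinguisher = Callable[[int, int], float]
Joint = Dict[Tuple[int, int], float]   # (x, z) -> Pr[X = x, Z = z]


def marginal_x(joint: Joint) -> Dict[int, float]:
    px: Dict[int, float] = {}
    for (x, _), p in joint.items():
        px[x] = px.get(x, 0.0) + p
    return px


def true_expectation(joint: Joint, D: Distinguisher) -> float:
    """E D(X, Z) under the real joint distribution."""
    return sum(p * D(x, z) for (x, z), p in joint.items())


def perfect_simulator(joint: Joint, m: int, D: Distinguisher):
    """Return (h_minus, h_plus, gamma, calls): the two extremal deterministic
    functions, the mixing weight gamma_D, and the number of D-evaluations used."""
    px = marginal_x(joint)
    target = true_expectation(joint, D)

    h_minus, h_plus, calls = {}, {}, 0
    for x in px:
        vals = [(D(x, z), z) for z in range(1 << m)]   # one pass over all 2^m values
        calls += len(vals)
        h_minus[x] = min(vals)[1]
        h_plus[x] = max(vals)[1]

    lo = sum(px[x] * D(x, h_minus[x]) for x in px)   # E D(x, h^-(x)) <= target
    hi = sum(px[x] * D(x, h_plus[x]) for x in px)    # E D(x, h^+(x)) >= target
    gamma = 1.0 if hi == lo else (hi - target) / (hi - lo)
    return h_minus, h_plus, gamma, calls


def simulator_expectation(joint: Joint, m: int, D: Distinguisher) -> float:
    """E D(X, h_D(X)) for the randomized h_D of Claim 1, computed exactly."""
    h_minus, h_plus, gamma, _ = perfect_simulator(joint, m, D)
    px = marginal_x(joint)
    return sum(px[x] * (gamma * D(x, h_minus[x]) + (1.0 - gamma) * D(x, h_plus[x]))
               for x in px)


# Constructed demo: X uniform on {0,1,2,3}; Z in {0,1}^2 equals X with probability
# 1/2 and is uniform otherwise; D is a "soft" distinguisher based on Hamming distance.
M = 2
JOINT: Joint = {}
for _x in range(4):
    for _z in range(1 << M):
        JOINT[(_x, _z)] = 0.25 * (0.5 * (_z == _x) + 0.5 / (1 << M))


def D_demo(x: int, z: int) -> float:
    return 0.1 + 0.8 * (bin(x ^ z).count("1") / M)


if __name__ == "__main__":
    h_minus, h_plus, gamma, calls = perfect_simulator(JOINT, M, D_demo)
    print("gamma_D =", gamma, "D-calls =", calls)
    print("E D(X,Z) =", true_expectation(JOINT, D_demo),
          " E D(X,h(X)) =", simulator_expectation(JOINT, M, D_demo))
```

For this input $\mathbb{E}\,D(X,Z) = 0.3$, the extremes are $0.1$ and $0.9$, so $\gamma_D = 0.75$ and the simulator matches the target exactly, which is what Claim 1 promises for a single fixed $D$.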

Now we apply the min-max theorem in the standard way to change the order of quantifiers.

Claim 2 (One simulator for all distinguishers). There exists a distribution $\bar h$ on functions $h$ of complexity $O(s \cdot 2^m)$ such that $\left| \mathbb{E}\,D(X, Z) - \mathbb{E}_{h \leftarrow \bar h}\,\mathbb{E}\,D(X, h(X)) \right| \le \epsilon$ for all $D$ of size $s\epsilon^2$.

Proof. By a standard application of the min-max theorem combined with the Chernoff bound (see [BSW03] for essentially the same technique) we get that there is a distribution $\bar h$ such that for all $D$ of size $s\epsilon^2$ we have $\mathbb{E}\,D(X, Z) - \mathbb{E}_{h \leftarrow \bar h}\,\mathbb{E}\,D(X, h(X)) \le \epsilon$. Since this holds for both $D$ and $1 - D$ for any $D$ of that size, the result follows.

In the last step we approximate this possibly inefficient simulator in statistical distance.

Claim 3 (One efficient simulator for all distinguishers). There exists a simulator $\tilde h$ of complexity $O\left(s \cdot 2^{2m}\epsilon^{-2}\right)$ such that $\left| \mathbb{E}\,D(X, Z) - \mathbb{E}\,D(X, \tilde h(X)) \right| \le 2\epsilon$ for all $D$ of size $s\epsilon^2$.

Proof (of Claim 3). Let $\bar h$ be the inefficient simulator guaranteed by Claim 2. We know that $\bar h$ is of the following form
$$P_{\bar h(x)}(z) = \mathbb{E}_{h \leftarrow \bar h}\, P_{h(x)}(z). \qquad (12)$$
Fix a number $t$ and sample $h_j \leftarrow \bar h$ for $j = 1, \ldots, t$. For a fixed choice of $h_1, \ldots, h_t$ we define the randomized function $\tilde h(x)$ as follows: $P_{\tilde h(x)}(z) = t^{-1}\sum_{j=1}^{t} P_{h_j(x)}(z)$ (it simply takes $i \leftarrow [t]$ and outputs $h_i(x)$). Below we assume that $x$ is sampled according to $X$. Let us compute
$$\begin{aligned}
\mathbb{E}_{\{h_j\}_{j=1}^{t}}\,\mathbb{E}_{x}\left\| P_{\tilde h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2
&= t^{-2}\,\mathbb{E}_{x}\,\mathbb{E}_{\{h_j\}_{j=1}^{t}}\left\| \sum_{j=1}^{t}\left( P_{h_j(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right) \right\|_2^2 \\
&= t^{-2}\,\mathbb{E}_{x}\sum_{j=1}^{t}\mathbb{E}_{h_j}\left\| P_{h_j(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2 \\
&= t^{-1}\,\mathbb{E}_{h \leftarrow \bar h}\,\mathbb{E}_{x}\left\| P_{h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2,
\end{aligned}$$
where the cross terms vanish because the $h_j$ are independent and, by (12), $P_{\bar h(x)}$ is their mean. Since $\left\| P_{h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2 \le 1$ for the point distributions $P_{h(x)}$, for some choice of $h_1, \ldots, h_t$ we have
$$\mathbb{E}_{x}\left\| P_{\tilde h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2 \le \frac{1}{t}. \qquad (13)$$
Note that the simple probabilistic proof of Equation (13) resembles the proof of the Maurey-Jones-Barron Theorem (see Lemma 1 in [?]) on approximating convex hulls in Hilbert spaces. Using the fact that $|D(\cdot, \cdot)| \le 1$ and the inequality between the first and the second norm,
$$\left| \mathbb{E}\,D(X, \tilde h(X)) - \mathbb{E}\,D(X, \bar h(X)) \right| = \left| \mathbb{E}_{x}\left[ \mathbb{E}\,D(x, \tilde h(x)) - \mathbb{E}\,D(x, \bar h(x)) \right] \right| \le \mathbb{E}_{x}\left\| P_{\tilde h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_1 \le 2^{m/2}\left( \mathbb{E}_{x}\left\| P_{\tilde h(x)}(\cdot) - P_{\bar h(x)}(\cdot) \right\|_2^2 \right)^{1/2}. \qquad (14)$$
Combining Equation (13) and Equation (14) we get, for some choice of $h_1, \ldots, h_t$,
$$\left| \mathbb{E}\,D(X, \tilde h(X)) - \mathbb{E}\,D(X, \bar h(X)) \right| \le \left( 2^{m} t^{-1} \right)^{1/2}. \qquad (15)$$
Setting $t = 2^{m}\epsilon^{-2}$ we finish the proof: $\tilde h$ is $\epsilon$-close to $\bar h$ and hence $2\epsilon$-close to $Z$ against every $D$ of size $s\epsilon^2$, and it consists of $t$ functions of complexity $O(s \cdot 2^m)$ each, which gives complexity $O\left(s \cdot 2^{2m}\epsilon^{-2}\right)$.


The result now follows directly from Claim 3 for real-valued circuits. Up to an error of $\delta = 2^{-p}$ in the advantage, we can approximate them by circuits taking values in the discrete set $\{2^{-p}, 2 \cdot 2^{-p}, \ldots, 1\}$. Any such circuit $D$ we start our proof with can be viewed as a combination of

(a) the coding vector $\left( D^{(i)} \right)_{i=1}^{p}$ of $p$ circuits of size $s$, computing the first $p$ digits of the binary expansion of the output;

(b) the decoding circuit of size $2p$, which uses $p$ additional random bits to read $\left( D^{(i)}(x, z) \right)_{i=1}^{p}$ and to output 1 with probability $D(x, z)$ (in the $i$-th round it tosses a coin and either halts and outputs $D^{(i)}(x, z)$ or moves to round $i + 1$; in round $p + 1$ the output is 0).

Now the correct complexity for $h$ in Claim 1 and Claim 3 is $O(s \cdot 2^m p)$, by the use of a sorting network. Setting $p = \log(1/\epsilon)$ we see that we lose $O\left(s \cdot 2^m \log(\epsilon^{-1})\right)$ in the simulator complexity.




































